Category: EU

French CNIL highlights its data protection enforcement priorities for 2022

25. February 2022

Following complaints received, but also on its own initiative, the French data protection supervisory authority Commission Nationale Informatique et Liberté (hereinafter ‘CNIL’) carries out checks, also based on reports of data protection violations. CNIL has published three topics for 2022 on which it will focus in particular. These topics are: commercial prospecting, surveillance tools in the context of teleworking, and cloud services.

With regard to commercial prospecting, CNIL draws particular attention to unsolicited advertising calls, which are a recurring complaint to CNIL in France.

In February 2022, CNIL published a guideline for “commercial management”, which is particularly relevant for commercial canvassing.

Based on this guideline, CNIL will control GDPR compliance. The focus here will be on professionals who resell data.

Regarding the monitoring tools for teleworking, identified as CNIL’s second priority, CNIL aims to assist in balancing the interests of protecting the privacy of workers who have the possibility of home office due to COVID-19 and the legitimate monitoring of activities by informing the rules to be followed for this purpose. CNIL believes that employers need to be more strictly controlled in this regard.

Last but not least, CNIL draws particular attention to the potential data protection breaches regarding the use of cloud computing technologies. Since massive data transfers outside the European Union can be considered here in particular, activities in this area must be monitored more closely. For this purpose, CNIL reserves the right to focus in particular on the frameworks governing the contractual relationships between data controllers and cloud technology providers.

CNIL judges use of Google Analytics illegal

14. February 2022

On 10th February 2022, the French Data Protection Authority Commission Nationale de l’Informatique et des Libertés (CNIL) has pronounced the use of Google Analytics on European websites to not be in line with the requirements of the General Data Protection Regulation (GDPR) and has ordered the website owner to comply with the requirements of the GDPR within a month’s time.

The CNIL judged this decision in regard to several complaints maybe by the NOYB association concerning the transfer to the USA of personal data collected during visits to websites using Google Analytics. All in all, NOYB filed 101 complaints against data controllers allegedly transferring personal data to the USA in all of the 27 EU Member States and the three further states of European Economic Area (EEA).

Only two weeks ago, the Austrian Data Protection Authority (ADPA) made a similar decision, stating that the use of Google Analytics was in violation of the GDPR.

Regarding the French decision, the CNIL concluded that transfers to the United States are currently not sufficiently regulated. In the absence of an adequacy decision concerning transfers to the USA, the transfer of data can only take place if appropriate guarantees are provided for this data flow. However, while Google has adopted additional measures to regulate data transfers in the context of the Google Analytics functionality, the CNIL deemed that those measures are not sufficient to exclude the accessibility of the personal data for US intelligence services. This would result in “a risk for French website users who use this service and whose data is exported”.

The CNIL stated therefore that “the data of Internet users is thus transferred to the United States in violation of Articles 44 et seq. of the GDPR. The CNIL therefore ordered the website manager to bring this processing into compliance with the GDPR, if necessary by ceasing to use the Google Analytics functionality (under the current conditions) or by using a tool that does not involve a transfer outside the EU. The website operator in question has one month to comply.”

The CNIL has also given advice regarding website audience measurement and analysis services. For these purposes, the CNIL recommended that these tools should only be used to produce anonymous statistical data. This would allow for an exemption as the aggregated data would not be considered “personal” data and therefore not fall under the scope of the GDPR and the requirements for consent, if the data controller ensures that there are no illegal transfers.

EDPS sanctions European Parliament for unlawfully transfered data to the US

25. January 2022

The European Data Protection Supervisor (EDPS) ruled that the European Parliament (EP) offended against a judgement of the European Court of Justice (ECJ) by transferring data to the US using US origin tech tools on their website for COVID-19 tests. This judgement relies on a complaint that involves misleading cookie banners, uncertain data privacy statements and unlawful data transfers from the EU to the US.

The ECJ makes clear that the transfer of personal data from the EU to the US is topic of strict conditions. Websites can only transfer data to the US if a certain security level is given. In this case there was not such a security level available.

The misleading cookie banners were so vague that the cookies were not listed in total and some differences between language options became appearent. Therefore, the website users could not give their valid consent.

Furthermore, the data privacy information were not clear and transparent, in that they refer to an incorrect legal basis for the processing. The given references were also in violation of transperency and requests of information.

Even during the process the EP tried to improve the technical deficits.

The EDPS issued a caution because in contrast to national data protection authorities it can only sentence under certain conditions, which were not given in this case. In result, it imposed a cease and desist order with a one month deadline for the EP to adjust the compliance.

(Update) Processing of COVID-19 immunization data of employees in EEA countries

21. January 2022

With COVID-19 vaccination campaigns well under way, employers are faced with the question of whether they are legally permitted to ask employees about their COVID-19 related information and, if so, how that information may be used.

COVID-19 related information, such as vaccination status, whether an employee has recovered from an infection or whether an employee is infected with COVID-19, is considered health data. This type of data is considered particularly sensitive data in most data protection regimes, which may only be processed under strict conditions. Art. 9 (1) General Data Protection Regulation (GDPR)(EU), Art. 9 (1) UK-GDPR (UK), Art. 5 (II) General Personal Data Protection Law (LGPD) (Brazil), para. 1798.140. (b) California Consumer Privacy Act of 2018 (CCPA) (California) all consider health-related information as sensitive personal data. However, the question of whether COVID-19-related data may be processed by an employer is evaluated differently, even in the context of the same data protection regime such as the GDPR.

Below, we discuss whether employers in different European Economic Area (EEA) countries are permitted to process COVID-19-related data about their employees.

Austria: The processing of health data in context of the COVID-19 pandemic can be based on Article 9 (2) (b) of the GDPR in conjunction with the relevant provisions on the duty of care (processing for the purpose of fulfilling obligations under labor and social law). Under Austrian labor law, every employer has a duty of care towards its employees, which also includes the exclusion of health hazards in the workplace. However, this only entitles the employer to ask the employee in general terms whether he or she has been examined, is healthy or has been vaccinated. Therefore, if the legislator provides for two other equivalent methods to prove a low epidemiological risk in addition to vaccination, the current view of the data protection authority is that specific questioning about vaccination status is not possible from a data protection perspective. An exception to this is only to be seen in the case of an explicit (voluntary) consent of the employee (Art. 9 (2) a) GDPR), but a voluntary consent is not to be assumed as a rule due to the dependency relationship of the employee.
As of November, employees will be obliged to prove whether they have been vaccinated, recovered from a COVID-19 infection or recently tested negative if they have physical contact with others in enclosed spaces, such as the office.

Austria was the first EU country to introduce mandatory Corona vaccination. From the beginning of February, Corona vaccination will be mandatory for all persons over 18 years of age, otherwise they will face fines of up to 3,600 euros from mid-March.

Belgium: In Belgium, there is no legal basis for the processing of vaccination information of employees by their employer. Article 9 (1) GDPR prohibits the processing of health data unless an explicit exception under Article 9 (2) GDPR applies. Such an exception may be a legal provision or the free and explicit consent of the data subject. Such a legal provision is missing and in the relationship between employee and employer, the employee’s consent is rarely free, as an employee may be under great pressure to give consent. The Belgian data protection authority explicitly denies the employer’s right to ask.

The Belgian government plans to make vaccination mandatory for health workers from April 2022.

Finland: The processing of an employee’s health data is only permitted if it is directly necessary for the employment relationship. The employer must carefully assess whether this necessity exists. It is not possible to deviate from this necessity by obtaining the employee’s consent. The employer may process an employee’s health data if this is necessary for the payment of sick pay or comparable health-related benefits or to establish a legitimate reason for the employee’s absence. The processing of health data is also permitted if an employee expressly requests that his or her ability to work be determined on the basis of health data. In addition, the employer is entitled to process an employee’s health data in situations expressly provided for by law. The employer may require occupational health care to provide statistical data on the immunization coverage of its employees.

France: In general employers may not require their employees to disclose whether they have been vaccinated, unless specific circumstances determined by law apply.

In France, mandatory vaccination has been in effect since mid-September for healthcare workers, i.e., employees of hospitals, retirement and nursing homes, care services, and employees of emergency services and fire departments.

Since July 21st, 2021, a “health passport” is mandatory for recreational and cultural facilities with more than 50 visitors, such as theaters, cinemas, concerts, festivals, sports venues. The health passport is a digital or paper-based record of whether a person has been vaccinated, recovered within 11 days to 6 months, or tested negative within 48 hours. Due to the Health Crisis Management Law No 2021-1040 of August 5, 2021 there are several workplaces where the health pass is mandatory for employees since August 30th, 2021. These include bars, restaurants, seminars, public transport for long journeys (train, bus, plane The health passport is also mandatory for the staff and visitors of hospitals, homes for the elderly, retirement homes, but not for patients who have a medical emergency.Visitors and staff of department stores and shopping malls need to present a health pass in case the prefect of the department decided this necessary. In these cases, the employer is obliged to check if his employees meet their legal obligations. However, the employer should not copy and store the vaccination certificates, but only store the information whether an employee has been vaccinated. Employers who do not fall into these categories are not allowed to process their employees’ vaccination data. In these cases, only occupational health services may process this type of information and the employer may not obtain this information under any circumstances. At most, he may obtain a medical opinion on whether an employee is fit for work.

Germany: Processing of COVID-19-related information is generally only allowed for employers in certain industries. Certain employers named in the law, such as in §§ 23a, 23 Infection Protection Act (IfSG), employers in certain health care facilities (e.g. hospitals, doctors’ offices, rescue services) and § 36 (3) IfSG, such as day care centers, outpatient care services, schools, homeless shelters or correctional facilities, are allowed to process the vaccination status of their employees.

Other employers are generally not permitted to inquire about the vaccination status of employees. But since §28b IfSG came into force on November 24, 2021, employees may only be granted access to company premises if they can prove that they have either been vaccinated, recently recovered or tested negative (so-called “3G status”). In this context, employers may require employees to provide proof of one of the three statuses but may not specifically ask about vaccination status. When it comes to processing and storing information obtained during access control, for data protection reasons, this information must be limited to the fact that employees have access to the premises (taking into account their documented status) and how long this access authorization has existed.

Under current law, while “vaccinated” status does not expire, the information may only be stored for 6 months. “Recently recovered” status is only valid for three months. After that, they must provide other proof that they meet one of the 3G criteria. A negative test is valid for either 24 or 48 hours, depending on the type of test.

Since November 2021, employers are required to verify whether an employee who has been sanctioned with a quarantine for COVID-19 infection was or could have been vaccinated prior to the infection. Under the fourth sentence of Section 56 (1) of the IfSG, an employee is not entitled to continued payment for the period of quarantine if the employee could have avoided the quarantine, e.g., by taking advantage of a vaccination program. The employer must pay the compensation on behalf of the competent authority. As part of this obligation to make an advance payment, the employer is also obliged to check whether the factual requirements for granting the benefits are met. The employer is therefore obliged to obtain information on the vaccination status of its employee before paying the compensation and to decide on this basis whether compensation can be considered in the individual case. The data protection law basis for this processing activity is Section 26 (3) of the German Federal Data Protection Act (BDSG), which permits the processing of special categories of personal data – if this is necessary for the exercise of rights or the fulfillment of legal obligations under labor, social insurance and social protection law and there is no reason to assume that the interests of the data subjects worthy of protection in the exclusion of the processing outweigh this. The Data Protection Conference, an association of German data protection authorities, states that processing the vaccination status of employees on the basis of consent is only possible if the consent was given voluntarily and thus legally valid, Section 26 (3) sentence 2 and (2) BDSG. Due to the relationship of superiority and subordination existing between employer and employee, there are regularly doubts about the voluntariness and thus the legal validity of the employees’ consent.

If employers are allowed to process the vaccination status of their employees, they should not copy the certificates, but only check to see if an employee has been vaccinated.

A mandatory vaccination for all german citizens is being discussed.

Greece: Corona vaccination became mandatory for nursing home staff in mid-August and for the healthcare sector on September 1. Since mid-September, all unvaccinated professionals have had to present a negative Corona rapid test twice a week – at their own expense – when they go to work.

Italy: Since October 15, Italy has become the first country in the EEA to require all workers to present a “green passport” at the workplace. This document records whether a person has been vaccinated, recovered, or tested. A general vaccination requirement has been in effect for health care workers since May, and employees in educational institutions have been required to present the green passport since September. In mid-October, mandatory vaccination was extended to employees of nursing homes.

Netherlands: Currently, there is no specific legislation that allows employers to process the vaccination data of their employees. Government guidelines for employers state that neither testing nor vaccination can be mandated for employees. Only occupational health services and company physicians are allowed to process vaccination data, for example, when employees are absent or reinstated. The Minister of Health, Welfare and Sport has announced that he will allow the health sector to determine the vaccination status of its employees. He also wants to examine whether and how this can be done in other work situations. Currently, employers can only offer voluntary testing in the workplace, but are not allowed to document or enforce the results of such tests.

Spain: Employers are allowed to ask employees if they have been vaccinated, but only if it is proportionate and necessary for the employer to fulfill its legal obligation to ensure health and safety in the workplace. However, employees have the right to refuse to answer this question. Before entering the workplace, employees may be asked to provide a negative test or proof of vaccination if the occupational health and safety provider deems it necessary for the particular workplace.

European Commission adopts South Korea Adequacy Decision

30. December 2021

On December 17th, 2021, the European Commission (Commission) announced in a statement it had adopted an adequacy decision for the transfer of personal data from the European Union (EU) to the Republic of Korea (South Korea) under the General Data Protection Regulation (GDPR).

An adequacy decision is one of the instruments available under the GDPR to transfer personal data from the EU to third countries that ensure a comparable level of protection for personal data as the EU. It is a Commission decision under which personal data can flow freely and securely from the EU to the third country in question without any further conditions or authorizations being required. In other words, the transfer of data to the third country in question can be handled in the same way as the transfer of data within the EU.

This adequacy decision allows for the free flow of personal data between the EU and South Korea without the need for any further authorization or transfer instrument, and it also applies to the transfer of personal data between public sector bodies. It complements the Free Trade Agreement (FTA) between the EU and South Korea, which entered into force in July 2011. The trade agreement has led to a significant increase in bilateral trade in goods and services and, inevitably, in the exchange of personal data.

Unlike the adequacy decision regarding the United Kingdom, this adequacy decision is not time-limited.

The Commission’s statement reads:

The adequacy decision will complement the EU – Republic of Korea Free Trade Agreement with respect to personal data flows. As such, it shows that, in the digital era, promoting high privacy and personal data protection standards and facilitating international trade can go hand in hand.

In South Korea, the processing of personal data is governed by the Personal Information Portection Act (PIPA), which provides similar principles, safeguards, individual rights and obligations as the ones under EU law.

An important step in the adequacy talks was the reform of PIPA, which took effect in August 2020 and strengthened the investigative and enforcement powers of the Personal Information Protection Commission (PIPC), the independent data protection authority of South Korea. As part of the adequacy talks, both sides also agreed on several additional safeguards that will improve the protection of personal data processed in South Korea, such as transparency and onward transfers.

These safeguards provide stronger protections, for example, South Korean data importers will be required to inform Europeans about the processing of their data, and onward transfers to third countries must ensure that the data continue to enjoy the same level of protection. These regulations are binding and can be enforced by the PIPC and South Korean courts.

The Commission has also published a Q&A on the adequacy decision.

CNIL posts guidance on use of third-party cookie alternatives

16. December 2021

France’s data protection authority, the Commission nationale de l’informatique et des libertés (CNIL), has published a guidance on the use of alternatives to third-party cookies.

The guidance aims to highlight that there are other ways to track users online than through third-party cookies, and that it is important to apply data protection principles to new technologies with tracking ability.

In the guidance, the CNIL gives an overview on what cookies are and the difference between first-party and third-party cookies, as well as the meaning of the two for personalized advertisement targeting.

It also highlights consent management and collection as being the key role to ensure a data protection compliant online tracking culture for new tracking methods and technologies. Further, the guidance also emphasizes that consent is not the only important requirement. In addition, online tracking and targeting methods should ensure that users keep control of their data and that all data subject rights are allowed and facilitated.

In light of this, the CNIL has gone ahead and published a guide for developers to help outline how to implement data protection compliant third-party cookies and other tracers in order to sensibilize people that are part of the implementation process as to how to stay compliant.

However, the CNIL also issued about 60 cookie compliance notices and 30 new orders to organizations for not offering users a data protection compliant ability to refuse cookies.

The CNIL has stepped up efforts to tackle cookie management and consent in order to ensure the rights and freedom of the data subjects in relation to their personal data online are kept safe. It has made clear that cookies are its main focus for the upcoming year, and that it will continue to hold companies liable for their insufficient data protection implementation.

EU commission working on allowing automated searches of the content of private and encrypted communications

25. November 2021

The EU Commission is working on a legislative package to combat child abuse, which will also regulate the exchange of child pornography on the internet. The scope of these regulations is expected to include automated searches for private encrypted communications via messaging apps.

When questioned, Olivier Onidi, Deputy Director General of the Directorate-General Migration and Home Affairs at the European Commission, said the proposal aims to “cover all forms of communication, including private communication”.

The EU Commissioner of Home Affairs, Ylva Johansson, declared the fight against child sexual abuse to be her top priority. The current Slovenian EU Council Presidency has also declared the fight against child abuse to be one of its main priorities and intends to focus on the “digital dimension”.

In May 2021, the EU Commission, the Council and the European Parliament reached a provisional agreement on an exemption to the ePrivacy Directive that would allow web-based email and messaging services to detect, remove, and report child sexual abuse material. Previously, the European Electronic Communications Code (EECC) had extended the legal protection of the ePrivacy Directive to private communications related to electronic messaging services. Unlike the General Data Protection Regulation, the ePrivacy Directive does not contain a legal basis for the voluntary processing of content or traffic data for the purpose of detecting child sexual abuse. For this reason, such an exception was necessary.

Critics see this form of preventive mass surveillance as a threat to privacy, IT security, freedom of expression and democracy. A critic to the agreement states:

This unprecedented deal means all of our private e-mails and messages will be subjected to privatized real-time mass surveillance using error-prone incrimination machines inflicting devastating collateral damage on users, children and victims alike.

However, the new legislative initiative goes even further. Instead of allowing providers of such services to search for such content on a voluntary basis, all providers would be required to search the services they offer for such content.

How exactly such a law would be implemented from a technical perspective will probably not be clear from the text of the law and is likely to be left up to the providers.
One possibility would be that software checks the hash of an attachment before it is sent and compares it with a database of hashes that have already been identified as illegal once. Such software is offered by Microsoft, for example, and such a database is operated by the National Center of Missing and Exploited Children in the United States. A hash is a kind of digital fingerprint of a file.
Another possibility would be the monitoring technology “client-side scanning”. This involves scanning messages before they are encrypted on the user’s device. However, this technology has been heavily criticized by numerous IT security researchers and encryption software manufacturers in a joint study. They describe CSS as a threat to privacy, IT security, freedom of expression and democracy, among other things because the technology creates security loopholes and thus opens up gateways for state actors and hackers.

The consequence of this law would be a significant intrusion into the privacy of all EU citizens, as every message would be checked automatically and without suspicion. The introduction of such a law would also have massive consequences for the providers of encrypted messaging services, as they would have to change their software fundamentally and introduce corresponding control mechanisms, but without jeopardizing the security of users, e.g., from criminal hackers.

There is another danger that must be considered: The introduction of such legally mandated automated control of systems for one area of application can always lead to a lowering of the inhibition threshold to use such systems for other purposes as well. This is because the same powers that are introduced in the name of combating child abuse could, of course, also be introduced for investigations in other areas.

It remains to be seen when the relevant legislation will be introduced and when and how it will be implemented. Originally, the bill was scheduled to be presented on December 1st, 2021, but this item has since been removed from the Commission’s calendar.

EDPB publishes draft Guidelines regarding data transfer clarifications

On November 19th, 2021, the European Data Protection Board (EDPB) published a new set of draft Guidelines 05/2021 on the interplay between the EU General Data Protection Regulation’s (GDPR) territorial scope, and the GDPR’s provisions on international data transfers.

The EDPB stated in their press release that “by clarifying the interplay between the territorial scope of the GDPR (Art. 3) and the provisions on international transfers in Chapter V, the Guidelines aim to assist controllers and processors in the EU in identifying whether a processing operation constitutes an international transfer, and to provide a common understanding of the concept of international transfers.”

The Guidelines set forth three cumulative criteria to consider in determining whether a processing activity qualifies as an international data transfer under the GDPR, namely:

  • the exporting controller or processor is subject to the GDPR for the given processing activity,
  • the exporting controller or processor transmits or makes available the personal data to the data importer (e.g., another controller, joint controller, or a processor and
  • the data importer is in a third country (or is an international organization), irrespective of whether the data importer or its processing activities are subject to the GDPR.

If all three requirements are met, the processing activity is to be considered an international data transfer under the GDPR, which results in the requirements of Chapter V of the GDPR to be applicable.

The Guidelines further clarify that the safeguards implemented to accommodate the international data transfer must be tailored to the specific transfer at issue. In an example, the EDPB indicates that the transfer of personal data to a controller in a third country that is subject to the GDPR will generally require fewer safeguards. In such a case, the transfer tool should focus on the elements and principles that are specific to the importing jurisdiction. This includes particularly conflicting national laws, government access requests in the receiving third country and the difficulty for data subjects to obtain redress against an entity in the receiving third country.

The EDPB offers its support in developing a transfer tool that would cover the above-mentioned situation.

The Guidelines are open for public consultation until January, 31st, 2022.

European Commission pursues legal action against Belgium over independence of Data Protection Autority

16. November 2021

In its October Infringements Package, the European Commission has stated it is pursuing legal actions against Belgium over concerns its Data Protection Authority (DPA) is not operating independently, as it should under the General Data Protection Regulation (GDPR).

The Commission stated that it “considers that Belgium violates Article 52 of the GDPR, which states that the data protection supervisory authority shall perform its tasks and exercise its powers independently. The independence of data protection authorities requires that their members are free from any external influence or incompatible occupation.”

According to the European Commission, however, some members of the Belgian DPA cannot be regarded as free from external influence, as they either report to a management committee depending on the Belgian government, they have taken part in governmental projects on COVID-19 contact tracing, or they are members of the Information Security Committee.

On June 9th, 2021, the Commission sent a letter of formal notice to Belgium, giving the member state two months to take corrective measures. Belgium’s response to the Commission’s letter did not address the issues raised and the members concerned have so far remained in their posts. The European Commission is now giving Belgium two months to take relevant action. If this fails, the Commission may decide to refer the case to the Court of Justice of the European Union.

EDPB adopts new Guidelines on restrictions of data subject rights under Article 23 GDPR

25. October 2021

During its plenary session of October 2021, the European Data Protection Board (EDPB) adopted a final version of the Guidelines on restrictions of data subject rights under Art. 23 of the General Data Protection Regulation (GDPR) following public consultation.

The Guidelines “provide a thorough analysis of the criteria to apply restrictions, the assessments that need to be observed, how data subjects can exercise their rights after the restrictions are lifted, and the consequences of infringements of Art. 23 GDPR,” the EDPB stated in their press release.

Further, the Guidelines aim to analyze how the legislative measures setting out the restrictions need to meet the foreseeability requirement and examine the grounds for the restrictions listed by Art. 23(1) GDPR, as well as the obligations and rights which may be restricted.

These Guidelines hope to recall the conditions surrounding the use of the restrictions by the Member States in light of the Charter of Fundamental Rights of the European Union, and to guide Member States if they wish to implement restrictions under national law.

Pages: Prev 1 2 3 4 5 6 7 8 9 10 ... 21 22 23 Next
1 2 3 4 23